Contact: security@phishpin.com
Expires: 2027-05-23T00:00:00Z
Preferred-Languages: en
Canonical: https://www.phishpin.com/.well-known/security.txt

# PhishPin Security Vulnerability Disclosure Policy
# RFC 9110 Compliance: https://tools.ietf.org/html/draft-foudil-securitytxt

# ==============================================================================
# RESPONSIBLE DISCLOSURE POLICY
# ==============================================================================
# Thank you for helping us keep PhishPin secure!
#
# If you discover a security vulnerability, please:
#   1. DO NOT publicly disclose the vulnerability
#   2. DO NOT modify or delete any data
#   3. DO contact security@phishpin.com with:
#      - A detailed description of the vulnerability
#      - Steps to reproduce
#      - Potential impact
#      - Your contact information

# ==============================================================================
# SECURITY CONTACT
# ==============================================================================
# Email for security reports
Contact: security@phishpin.com

# Response time
# We aim to respond to security reports within 24-48 hours.
# Critical vulnerabilities will be prioritized immediately.

# ==============================================================================
# REPORTING METHODS
# ==============================================================================
# Primary: Email (PGP key below)
#   Email: security@phishpin.com
#
# Alternative Contact Points:
#   - Phone: +1-XXX-XXX-XXXX (if available)
#   - Security Bug Bounty: https://www.phishpin.com/bug-bounty

# ==============================================================================
# SECURITY VULNERABILITIES WE CARE ABOUT
# ==============================================================================
# High Priority:
#   - SQL Injection
#   - Cross-Site Scripting (XSS)
#   - Cross-Site Request Forgery (CSRF)
#   - Remote Code Execution (RCE)
#   - Authentication Bypass
#   - Authorization Bypass
#   - Data Exposure
#   - Cryptographic Failures
#
# Medium Priority:
#   - Path Traversal
#   - Information Disclosure
#   - Denial of Service (DoS)
#   - Weak Cryptography
#   - Security Misconfiguration
#   - Insecure Dependencies

# ==============================================================================
# WHAT WE DO NOT CONSIDER VULNERABILITIES
# ==============================================================================
# The following are typically NOT security vulnerabilities:
#   - Issues in third-party libraries (report to upstream maintainers)
#   - Missing HTTP security headers (we have them)
#   - Weak passwords (the user's responsibility)
#   - Social engineering/phishing reports (not our scope)
#   - Feature requests
#   - Configuration issues on the client side
#   - Publicly documented CVEs in libraries we use

# ==============================================================================
# SCOPE
# ==============================================================================
# In Scope:
#   - https://www.phishpin.com and subdomains
#   - https://api.phishpin.com
#   - Mobile applications
#   - Our SaaS platform
#   - Core security functionality
#
# Out of Scope:
#   - Third-party services integrated with PhishPin
#   - User content on our platform
#   - Our blog/documentation (unless security-related)
#   - Third-party plugins or extensions

# ==============================================================================
# BUG BOUNTY PROGRAM
# ==============================================================================
# We offer bounties for verified security vulnerabilities.
# Bounty amounts are determined based on:
#   - Severity (CVSS score)
#   - Complexity of exploitation
#   - Impact on users
#   - Quality of report
#
# Visit https://www.phishpin.com/bug-bounty for details.

# ==============================================================================
# POLICY
# ==============================================================================
# We commit to:
#   ✓ Acknowledge receipt of security reports within 24 hours
#   ✓ Provide an initial assessment within 48 hours
#   ✓ Keep you updated on progress
#   ✓ Credit you in our security advisories (if desired)
#   ✓ Not pursue legal action against good-faith reporters
#   ✓ Never intentionally disclose without permission
#
# You commit to:
#   ✓ Not accessing data beyond what is necessary to prove the vulnerability
#   ✓ Not modifying or deleting data
#   ✓ Not performing DoS/DDoS attacks
#   ✓ Not publicly disclosing until we have patched
#   ✓ Working with us in good faith

# ==============================================================================
# PATCH TIMELINE
# ==============================================================================
# Critical Vulnerabilities:
#   - Patch: Within 24-48 hours
#   - Release: Within 72 hours
#
# High Severity:
#   - Patch: Within 1 week
#   - Release: Within 2 weeks
#
# Medium Severity:
#   - Patch: Within 2 weeks
#   - Release: Within 4 weeks
#
# Low Severity:
#   - Patch: Within 1 month
#   - Release: With next scheduled update

# ==============================================================================
# SECURITY ADVISORIES
# ==============================================================================
# View our security advisories and patches:
#   https://www.phishpin.com/security-advisories

# ==============================================================================
# SECURITY BEST PRACTICES FOR USERS
# ==============================================================================
# 1. Keep your PhishPin account secure
#    - Use strong passwords (16+ characters)
#    - Enable two-factor authentication
#    - Log out from unused sessions
#
# 2. Report phishing attempts
#    - If you see a phishing attack, report it
#    - Help us improve our threat detection
#
# 3. Update regularly
#    - Keep your browser updated
#    - Update your operating system
#    - Use current versions of PhishPin
#
# 4. Use HTTPS only
#    - Always access phishpin.com via HTTPS
#    - Never use HTTP links to our platform

# ==============================================================================
# TRANSPARENCY & DISCLOSURE
# ==============================================================================
# We believe in transparency:
#   - We publish security advisories for all fixed vulnerabilities
#   - We acknowledge security researchers responsibly
#   - We follow a 90-day coordinated vulnerability disclosure (CVD) timeline

# ==============================================================================
# COMPLIANCE
# ==============================================================================
# PhishPin complies with:
#   - OWASP Top 10 mitigation strategies
#   - NIST Cybersecurity Framework
#   - ISO/IEC 27001 principles
#   - SOC 2 Type II requirements
#   - GDPR data protection requirements
#   - CCPA privacy requirements

# ==============================================================================
# SECURITY TEAM
# ==============================================================================
# Security Review: Quarterly
# Penetration Testing: Annually
# Vulnerability Scanning: Continuous
# Dependency Updates: Monthly

# ==============================================================================
# CHANGELOG
# ==============================================================================
# 2026-05-23: Initial security.txt
#   - Established disclosure policy
#   - Created bug bounty program
#   - Set patch timeline guidelines

# ==============================================================================
# ADDITIONAL RESOURCES
# ==============================================================================
# OWASP:        https://owasp.org/
# NIST:         https://www.nist.gov/
# CWE:          https://cwe.mitre.org/
# CVE:          https://cve.mitre.org/
# security.txt: https://securitytxt.org/

# ==============================================================================
# THANK YOU
# ==============================================================================
# We appreciate security researchers who responsibly disclose vulnerabilities.
# Your work helps us keep our users safe and our platform secure.
#
# Questions? Email security@phishpin.com